I am trying to figure out how I can retain personal SSH keys (probably the most important part, or at least important to have an alternative connection method) while also having modern tools like SSO or at least SAML, some way to federate to different ADs.

I know there are a few things out there like Authentik and Authelia, but not 100% sure Authentik covers those needs above. Does anyone have experience with these or other modern LDAP alternatives that work well with Linux?

  • @[email protected]
    link
    fedilink
    117 months ago

    The only alternative I know of that goes close to what FreeIPA does (minus the cert part) is kanidm. It does:

    • oauth2
    • ssh key distribution
    • RADIUS
    • PAM/SSSD
    • LDAP

    I just noticed they have a beta for multimaster replication, which is nice.

    I use it at home. Note, though, that it does not do any hand-holding, and all configuration is done through CLI. Also note, there are docs for the stable or dev branch and there sometimes are big differences between the two.

    • Possibly linux
      link
      fedilink
      English
      37 months ago

      You also could add Samba Active Directory to the list. It isn’t necessarily better but it is good for mixed environments

  • @[email protected]
    link
    fedilink
    77 months ago

    Maybe I’m just nostalgic but I think a classic IPA doesn’t need a modern twist. I’m all for IPA open sourcing their beer; heck, free beer is good enough for me.

    In all seriousness though, I already saw a user recommend kanidm. I can vouch for kanidm; written in Rust, it allows offline authentication and offline caching of user info, which is really handy if you’re in a situation with poor internet connectivity. kanidm is feature rich:@[email protected] already mentioned OAuth2 support, LDAP, RADIUS; etc. It even supports TOTP!! Kanidm doesn’t support SAML IIRC, But SSO can be achieved through OAuth2 with OIDC.

    From kanidm’s Github:

    Kanidm aims to have the features richness of FreeIPA, but without the resource and administration overheads. If you want a complete IDM package, but in a lighter footprint and easier to manage, then Kanidm is probably for you. In testing with 3000 users + 1500 groups, Kanidm is 3 times faster for search operations and 5 times faster for modification and addition of entries (your results may differ however, but generally Kanidm is much faster than FreeIPA).

    https://github.com/kanidm/kanidm

  • @[email protected]
    link
    fedilink
    English
    57 months ago

    It’s my understanding that FreeIPA can federate with Active Directory, but personally I haven’t tried that myself. As for Authentik, it looks interesting but it’s the first I’ve heard of it. I also rely on FreeIPA’s certmonger implementation, so I wonder if Authentik could replace that?

    Just to understand your use case, you have users in Active Directory where you want to manage SSH keys and be able to login via SSH to linux machines?

    • astraeusOP
      link
      fedilink
      27 months ago

      Yeah, users in AD and the FreeIPA replacement essentially handles the SSH key management + middle-man the auth to Linux servers.

        • astraeusOP
          link
          fedilink
          17 months ago

          I think my main concern is FreeIPA’s longevity. As a tool, it’s rather outdated even in its latest version. It works, but the upkeep on it is not quite robust. Its implementation of AD standards are also limited. This is why I’m looking for an alternative to FreeIPA.

  • @[email protected]
    link
    fedilink
    English
    27 months ago

    I’m sorry for worthless comment in advance. I’ve never heard of FreeIPA, but I’d definitely get free IPA ;-)

    • @[email protected]
      link
      fedilink
      27 months ago

      IPA beer is good for sure. freeIPA is a central way to manage Linux devices. manage users ssh keys and even limiting sudo commands with sudo rules. and some other things. It can not do everything active directory does but their sure are a load of similarities.

  • @Evotech
    link
    27 months ago

    You could enroll all your servers into a pam, and let that manage your keys. https://goteleport.com/ for instance has open source core and is quite easy to get started with.